Digital Omnibus: Overview of proposed changes to the GDPR

With the Digital Omnibus, European legislators are planning important changes to the GDPR. Below is a brief overview of the current proposal for key changes:

  1. Definition of personal data
    The definition is to be clarified: in future, data will only be considered personal if the body concerned actually has the means to identify a person. If this cannot reasonably be expected, the data would not be considered personal for that body, even if another body could identify the person.
     
  2. Processing of terminal device data & online tracking
    The current requirements for the storage of and access to terminal device data from the ePrivacy Directive are to be transferred to the GDPR.

    Consent is required for the storage of and access to terminal device data, for example through cookies. Exemptions are to be made for technically necessary purposes, such as the transmission of communications, expressly requested services, internal reach analyses and the maintenance of security.

    If the user receives a request for consent, it should be possible to refuse with just one click in future. If consent is refused, the request may not be repeated for at least 6 months; once consent has been given, the request may not be repeated within the period of validity of the consent.
     
  3. Machine-readable consent signals and PIMS
    In future, websites and apps could be obliged to allow consent, refusals and objections to be given in a machine-readable, automated form. This opens up the possibility of using privacy-friendly consent management systems (PIMS).
     
  4. Legitimate interest for AI systems
    The processing of personal data for the operation and development of AI systems could be possible in future on the basis of legitimate interests. However, additional technical and organisational measures such as data minimisation, transparency and an unconditional right of objection would continue to apply to businesses.
     
  5. Reporting obligation for data breaches
    In future, the obligation to report to supervisory authorities will only apply to data breaches that pose a high risk to data subjects. In addition, the reporting deadline is to be extended to 96 hours and there are plans to standardise reporting via central contact points.

Recommended action and timeframe
The legislative process is still in the consultation phase, which will run until 11 March 2026. According to the Commission, adoption by the Commission is planned for the first quarter of 2027. It is unclear whether and in what form the planned changes will be adopted. We recommend carefully monitoring further developments and preparing for possible adjustments to internal company processes. We will keep you informed of further developments.